Discussion:
FreeRadius and WPA2-Enterprise machine authentication - With Active Directory interconnection..
Tim Reimers
2014-12-11 20:16:41 UTC
Hi everyone -

I'm trying to design something here that I'm sure has been done before, but AFAIK, it crosses through a few different howto documents, and
being new to this, I'm just not certain that I have pieced together all the relevant HOWTo docs and not missed a
point at which the design won't communicate the needed information.

The plan is to authenticate wireless users AND their computers. (so that a user cannot BYOD to the secure network; only laptops joined to the domain will work)

I know that WPA2-Enterprise is what I need, to be able to have rotating keys, use Radius for authentication, etc.
I know that WPA2-Enterprise requires certificates to validate the machines

I already have a Microsoft CA server running in my AD environment, with the GPO needed to push out workstation certificate enrollment
and so on, for other applications.

My question is -
Can FreeRadius (3.0.1) on centos 7
be configured to do the machine authentication using certs from the Microsoft CA server?
Meraki is the wireless infrastructure, if that helps.

Thanks, Tim

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Alan DeKok
2014-12-11 20:26:46 UTC
Post by Tim Reimers
The plan is to authenticate wireless users AND their computers. (so that a user cannot BYOD to the secure network; only laptops joined to the domain will work)
You can’t do 2 authentications for one system. If the computers have machine accounts, they can do 802.1X to get on the network. The users will do domain authentication to AD, but that’s *after* the systems are on the network.
Post by Tim Reimers
I already have a Microsoft CA server running in my AD environment, with the GPO needed to push out workstation certificate enrollment
and so on, for other applications.
Just configure it in AD. AD should push the machine credentials to the machines.
Post by Tim Reimers
My question is -
Can FreeRadius (3.0.1) on centos 7
be configured to do the machine authentication using certs from the Microsoft CA server?
Yes. Lots of people are doing this.

Alan DeKok.


Tim Reimers
2014-12-11 21:42:02 UTC
-----Original Message-----
From: freeradius-users-bounces+treimers=***@lists.freeradius.org [mailto:freeradius-users-bounces+treimers=***@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Thursday, December 11, 2014 3:27 PM
To: FreeRadius users mailing list
Subject: Re: FreeRadius and WPA2-Enterprise machine authentication - With Active Directory interconnection..
Post by Tim Reimers
The plan is to authenticate wireless users AND their computers. (so
that a user cannot BYOD to the secure network; only laptops joined to
the domain will work)
You can't do 2 authentications for one system. If the computers have machine accounts, they can do 802.1X to get on the network. The users will do domain authentication to AD, but that's *after* the systems are on the network.

Thanks Alan.

So what you're basically saying is that the SSID/access point would use WPA2-Enterprise, and computers would authenticate themselves
and that would prevent people from bringing in a personal laptop from home and using their AD credentials to connect personal equipment to the corporate network.

But if they used a laptop that the organization owned and which was joined to the domain, certificate enrolled, it would then be automatically associated,
and the user would just log into the workstation after it connected to the wireless, and go on with work just as if they were plugged into the LAN.

If I'm assuming correctly, can you point me to the current HOWTO document for Freeradius 3.01 and AD Server 2008 for configuring the WPA2-Enterprise and certificate authentication?
I see lots of docs out there, but I don't want to accidentally start working with a document that's incorrect for the current release of Freeradius or older AD versions.
Post by Tim Reimers
I already have a Microsoft CA server running in my AD environment,
with the GPO needed to push out workstation certificate enrollment and so on, for other applications.
Just configure it in AD. AD should push the machine credentials to the machines.

It has - we're good on that part, I think, with the exception of GPO pushing the correct SSID and wireless config.
I can work that part out.

Thanks, Tim
Post by Tim Reimers
My question is -
Can FreeRadius (3.0.1) on centos 7
be configured to do the machine authentication using certs from the Microsoft CA server?
Yes. Lots of people are doing this.

Alan DeKok.


Tim Reimers
2014-12-11 21:56:49 UTC
Allow me to correct the misplaced > marks.
Apparently, my email client didn't add the needed >> marks to delineate Alan's kind reply from my confusion ;-)

Corrected below....

-----Original Message-----
Post by Tim Reimers
Post by Tim Reimers
The plan is to authenticate wireless users AND their computers. (so
that a user cannot BYOD to the secure network; only laptops joined to
the domain will work)
You can't do 2 authentications for one system. If the computers have machine accounts, they can do 802.1X to get on the network.
The users will do domain authentication to AD, but that's *after* the systems are on the network.
Thanks Alan.

So what you're basically saying is that the SSID/access point would use WPA2-Enterprise, and computers would authenticate themselves and that would prevent people from bringing in a personal laptop from home and using their AD credentials to connect personal equipment to the corporate network.

But if they used a laptop that the organization owned and which was joined to the domain, certificate enrolled, it would then be automatically associated, and the user would just log into the workstation after it connected to the wireless, and go on with work just as if they were plugged into the LAN.

If I'm assuming correctly, can you point me to the current HOWTO document for Freeradius 3.01 and AD Server 2008 for configuring the WPA2-Enterprise and certificate authentication?
I see lots of docs out there, but I don't want to accidentally start working with a document that's incorrect for the current release of Freeradius or older AD versions.
Post by Tim Reimers
Post by Tim Reimers
I already have a Microsoft CA server running in my AD environment,
with the GPO needed to push out workstation certificate enrollment and so on, for other applications.
Just configure it in AD. AD should push the machine credentials to the machines.
It has - we're good on that part, I think, with the exception of GPO pushing the correct SSID and wireless config.
I can work that part out.

Thanks, Tim
Post by Tim Reimers
My question is -
Can FreeRadius (3.0.1) on centos 7
be configured to do the machine authentication using certs from the Microsoft CA server?
Yes. Lots of people are doing this.

Alan DeKok.


Alan Buxey
2014-12-11 22:13:19 UTC
You define policies to do what you want. Eg unless the username looks like host/*******.domain then reject

However, I would say don't do some of what you are planning. Leverage the functionality of 802.1X and your APs and let people log in with AD credentials, embrace BYOD but drop them onto a different VLAN

alan
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
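Putting Alan DeKok's answer (machine accounts do 802.1X with their certificates; users authenticate to AD afterwards) and Alan Buxey's policy suggestion (reject unless the identity looks like host/<name>.domain, or let BYOD in but steer it onto another VLAN) into concrete FreeRADIUS 3.0.x configuration, as an added example that is not from this thread, from the FreeRADIUS project or from any of the posters. The DNS domain corp.example, the CA chain file name, the issuer CN "Corp-Issuing-CA", the VLAN ids, the policy name and the check-eap-tls server name are all assumptions; pick either the reject policy (Option A) or the VLAN steering (Option B), not both.

```unlang
# Added example: FreeRADIUS 3.0.x config for EAP-TLS machine authentication
# against certificates issued by an Active Directory (Microsoft) CA.
# Assumed values: corp.example, corp-ad-ca-chain.pem, "Corp-Issuing-CA",
# VLAN ids 10/200, and the policy/server names below.

# --- mods-available/eap ---------------------------------------------------
eap {
	default_eap_type = tls
	tls-config tls-common {
		private_key_file = ${certdir}/radius.key
		certificate_file = ${certdir}/radius.pem
		# PEM bundle of the AD root CA plus the issuing CA, exported from
		# the Windows CA. Only client certs chaining to this bundle pass
		# the TLS handshake; a personal laptop with no such cert fails here.
		ca_file = ${cadir}/corp-ad-ca-chain.pem
		# Run extra checks on each presented client certificate.
		virtual_server = check-eap-tls
	}
	tls {
		tls = tls-common
	}
}

# --- policy.d/machine_auth (assumed file name) ----------------------------
# Domain-joined Windows clients doing 802.1X machine authentication send the
# EAP identity host/<fqdn>. A user typing AD credentials on a personal laptop
# sends user@domain or DOMAIN\user instead and is refused before EAP starts.
machine_identity_check {
	if (!&User-Name) {
		reject
	}
	# Case-insensitive: host/<hostname>.corp.example only (Option A).
	if (&User-Name !~ /^host\/[^\/@]+\.corp\.example$/i) {
		reject
	}
}

# --- sites-enabled/default, authorize (excerpt) ---------------------------
authorize {
	machine_identity_check    # Option A only; omit this line for Option B
	eap {
		ok = return
	}
}

# --- sites-enabled/check-eap-tls ------------------------------------------
# Called once per client certificate during the handshake. Chain validation
# against ca_file has already happened; this adds that the cert came from
# the issuing CA and that its CN matches the host the client claims to be.
# Assumes the outer User-Name is visible in this virtual server.
server check-eap-tls {
	authorize {
		if (&TLS-Client-Cert-Issuer !~ /CN=Corp-Issuing-CA/) {
			reject
		}
		if (&User-Name =~ /^host\/([^\/@]+)$/i) {
			# %{1} is the FQDN captured from the identity above.
			if ("%{tolower:%{1}}" != "%{tolower:%{TLS-Client-Cert-Common-Name}}") {
				reject
			}
		}
		ok
	}
}

# --- sites-enabled/default, post-auth (Option B, Alan Buxey's suggestion) --
# Let users authenticate with AD credentials as well, but put anything that
# is not a machine identity on a separate BYOD VLAN instead of rejecting it.
post-auth {
	if (&User-Name =~ /^host\//i) {
		update reply {
			Tunnel-Type := VLAN
			Tunnel-Medium-Type := IEEE-802
			Tunnel-Private-Group-Id := "10"     # corporate VLAN (assumed id)
		}
	}
	else {
		update reply {
			Tunnel-Type := VLAN
			Tunnel-Medium-Type := IEEE-802
			Tunnel-Private-Group-Id := "200"    # BYOD VLAN (assumed id)
		}
	}
}
```

To verify the policy, run the server in debug mode (`radiusd -X`) and associate a known-good domain laptop and then a personal laptop: the debug output shows the TLS-Client-Cert-* attributes, which branch of machine_identity_check fired, and the VLAN attributes in the Access-Accept, so a misconfigured CA bundle or an identity that does not match the expected host/ form is visible before the SSID goes into production.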